From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v2] systemd: Add support for --log-target
Date: Thu, 31 Mar 2016 08:32:39 -0400
Message-ID: <56FD18E7.6030908@tresys.com>
In-Reply-To: <1459410042-21388-1-git-send-email-dac.override@gmail.com>
On 3/31/2016 3:40 AM, Dominick Grift wrote:
> https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target=
>
> see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22
>
> v2: Add comment about dontaudit rule
Merged.
> Signed-off-by: Dominick Grift <dac.override@gmail.com>
> ---
> policy/modules/system/systemd.if | 19 +++++++++++++++++
> policy/modules/system/systemd.te | 44 +++++++++++++++++++++++++++-------------
> 2 files changed, 49 insertions(+), 14 deletions(-)
>
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 3cd6670..705cbaa 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -2,6 +2,25 @@
>
> ######################################
> ## <summary>
> +## Make the specified type usable as an
> +## log parse environment type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Type to be used as a log parse environment type.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_log_parse_environment',`
> + gen_require(`
> + attribute systemd_log_parse_env_type;
> + ')
> +
> + typeattribute $1 systemd_log_parse_env_type;
> +')
> +
> +######################################
> +## <summary>
> ## Read systemd_login PID files.
> ## </summary>
> ## <param name="domain">
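Review bot: the new interface's `<summary>` reads "usable as an log parse environment type"; it should be "a log parse environment type". The body itself follows the usual pattern (gen_require of the attribute, then `typeattribute $1 systemd_log_parse_env_type;`), so only the documentation text needs the fix.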
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 60a75fa..6d40952 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -12,6 +12,8 @@ policy_module(systemd, 1.1.3)
> ## </desc>
> gen_tunable(systemd_tmpfiles_manage_all, false)
>
> +attribute systemd_log_parse_env_type;
> +
> type systemd_activate_t;
> type systemd_activate_exec_t;
> init_system_domain(systemd_activate_t, systemd_activate_exec_t)
> @@ -113,16 +115,33 @@ init_unit_file(power_unit_t)
>
> ######################################
> #
> +# systemd log parse enviroment
> +#
> +
> +# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
> +dontaudit systemd_log_parse_env_type self:capability net_admin;
> +
> +kernel_read_system_state(systemd_log_parse_env_type)
> +
> +dev_write_kmsg(systemd_log_parse_env_type)
> +
> +term_use_console(systemd_log_parse_env_type)
> +
> +init_read_state(systemd_log_parse_env_type)
> +
> +logging_send_syslog_msg(systemd_log_parse_env_type)
> +
> +######################################
> +#
> # Cgroups local policy
> #
>
> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
> +kernel_dgram_send(systemd_cgroups_t)
>
> init_stream_connect(systemd_cgroups_t)
>
> -logging_send_syslog_msg(systemd_cgroups_t)
> -
> -kernel_dgram_send(systemd_cgroups_t)
> +systemd_log_parse_environment(systemd_cgroups_t)
>
> #######################################
> #
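Review bot: typo in the new section comment, "systemd log parse enviroment" should read "environment". More substantively, every domain switched to the attribute now receives the whole set in this block (kernel_read_system_state, dev_write_kmsg, term_use_console, init_read_state, logging_send_syslog_msg, plus the net_admin dontaudit), whereas in the later hunks most of those domains previously had only logging_send_syslog_msg; systemd_cgroups_t, for example, gains kmsg write and console access it did not have before. That widening is the point of supporting --log-target, but it is worth spelling out in the commit message so it is reviewable as a deliberate choice rather than a side effect. The long dontaudit comment could also be wrapped to stay within the file's usual line width.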
> @@ -133,10 +152,10 @@ kernel_read_kernel_sysctls(systemd_locale_t)
>
> files_read_etc_files(systemd_locale_t)
>
> -logging_send_syslog_msg(systemd_locale_t)
> -
> seutil_read_file_contexts(systemd_locale_t)
>
> +systemd_log_parse_environment(systemd_locale_t)
> +
> optional_policy(`
> dbus_connect_system_bus(systemd_locale_t)
> dbus_system_bus_client(systemd_locale_t)
> @@ -151,10 +170,10 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
>
> files_read_etc_files(systemd_hostnamed_t)
>
> -logging_send_syslog_msg(systemd_hostnamed_t)
> -
> seutil_read_file_contexts(systemd_hostnamed_t)
>
> +systemd_log_parse_environment(systemd_hostnamed_t)
> +
> optional_policy(`
> dbus_system_bus_client(systemd_hostnamed_t)
> dbus_connect_system_bus(systemd_hostnamed_t)
> @@ -207,13 +226,10 @@ init_start_all_units(systemd_logind_t)
> init_stop_all_units(systemd_logind_t)
> init_service_status(systemd_logind_t)
> init_service_start(systemd_logind_t)
> -# This is for reading /proc/1/cgroup
> -init_read_state(systemd_logind_t)
>
> locallogin_read_state(systemd_logind_t)
>
> -logging_send_syslog_msg(systemd_logind_t)
> -
> +systemd_log_parse_environment(systemd_logind_t)
> systemd_start_power_units(systemd_logind_t)
>
> udev_read_db(systemd_logind_t)
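Review bot: the removed comment "# This is for reading /proc/1/cgroup" documented why systemd_logind_t needs init_read_state; since that access now comes through the attribute, the rationale disappears from the file. Suggest carrying the comment over to the `init_read_state(systemd_log_parse_env_type)` line in the new log parse environment block so the reason for the rule is preserved.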
> @@ -234,7 +250,7 @@ optional_policy(`
> allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
> files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
>
> -logging_send_syslog_msg(systemd_sessions_t)
> +systemd_log_parse_environment(systemd_sessions_t)
>
> #########################################
> #
> @@ -260,10 +276,10 @@ auth_manage_login_records(systemd_tmpfiles_t)
> auth_relabel_login_records(systemd_tmpfiles_t)
> auth_setattr_login_records(systemd_tmpfiles_t)
>
> -logging_send_syslog_msg(systemd_tmpfiles_t)
> -
> seutil_read_file_contexts(systemd_tmpfiles_t)
>
> +systemd_log_parse_environment(systemd_tmpfiles_t)
> +
> tunable_policy(`systemd_tmpfiles_manage_all',`
> # systemd-tmpfiles can be configured to manage anything.
> # have a last-resort option for users to do this.
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com